SB2019091157 - Multiple vulnerabilities in py-lmdb
Published: September 11, 2019 Updated: August 8, 2020
Description
This security bulletin contains information about 5 vulnerabilities.
1) Buffer overflow (CVE-ID: CVE-2019-16224)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
An issue was discovered in py-lmdb 0.97. For certain values of md_flags, mdb_node_add does not properly set up a memcpy destination, leading to an invalid write operation. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.
2) Buffer overflow (CVE-ID: CVE-2019-16225)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
An issue was discovered in py-lmdb 0.97. For certain values of mp_flags, mdb_page_touch does not properly set up mc->mc_pg[mc->top], leading to an invalid write operation. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.
3) Buffer overflow (CVE-ID: CVE-2019-16226)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
An issue was discovered in py-lmdb 0.97. mdb_node_del does not validate a memmove in the case of an unexpected node->mn_hi, leading to an invalid write operation. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.
4) Buffer overflow (CVE-ID: CVE-2019-16227)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
An issue was discovered in py-lmdb 0.97. For certain values of mn_flags, mdb_cursor_set triggers a memcpy with an invalid write operation within mdb_xcursor_init1. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.
5) Division by zero (CVE-ID: CVE-2019-16228)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a division-by-zero error when processing untrusted input in the function mdb_env_open2 if mdb_env_read_header obtains a zero value for a certain size field. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker. A remote attacker can perform a denial of service attack.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
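All five issues above share one precondition: the process opens a data.mdb file that an attacker controls. With no vendor fix named in this bulletin, the two practical checks an operator can apply are (a) find out whether the deployed binding is the release the bulletin names and (b) make sure the application never opens an environment from a location an untrusted party can write to. The script below is an added example written for this bulletin, not code from Cybersecurity Help or from the py-lmdb project. It assumes the binding exposes its release string as lmdb.__version__ (current py-lmdb releases do); the trusted root directories are a constructed placeholder that a deployment would replace with its own.

```python
"""Operator-side checks for the py-lmdb bulletin (added example, not project code).

Two helpers:
  * is_bulletin_version() - does a py-lmdb version string match release 0.97,
    the only release the bulletin names?  A non-match is NOT evidence of a fix;
    the bulletin reports no vendor remediation.
  * is_under_trusted_root() - would opening this data.mdb path stay inside an
    allowlisted directory?  This is the control that actually matters here,
    since every issue requires an attacker-supplied database file.
"""
import os
import re

# The only release the bulletin identifies as affected.
BULLETIN_PY_LMDB = (0, 97)

# Constructed placeholder: a real deployment lists the directories its own
# provisioning writes LMDB environments into, and nothing else.
TRUSTED_DB_ROOTS = ["/var/lib/example-app/lmdb"]


def parse_version(text):
    """Return the leading numeric components of a dotted version string.

    '0.97' -> (0, 97); '0.97.1rc2' -> (0, 97, 1).  Raises ValueError if the
    string has no leading number at all.
    """
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    if not parts:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(parts)


def is_bulletin_version(version_text):
    """True when the major.minor pair equals the release named in the bulletin."""
    return parse_version(version_text)[:2] == BULLETIN_PY_LMDB


def installed_py_lmdb_status():
    """Report (version, matches_bulletin) for the installed binding, or None if absent.

    Assumption: the binding exposes lmdb.__version__ as a dotted string.
    """
    try:
        import lmdb  # noqa: F401 - optional dependency for this check
    except ImportError:
        return None
    return lmdb.__version__, is_bulletin_version(lmdb.__version__)


def is_under_trusted_root(db_path, trusted_roots=TRUSTED_DB_ROOTS):
    """True when db_path, after resolving '..' and symlinks, sits inside a trusted root.

    realpath() is used so that a path such as '/var/lib/example-app/lmdb/../../x'
    or a symlink planted inside the trusted directory cannot escape the allowlist.
    """
    resolved = os.path.realpath(db_path)
    for root in trusted_roots:
        root_resolved = os.path.realpath(root)
        try:
            if os.path.commonpath([resolved, root_resolved]) == root_resolved:
                return True
        except ValueError:
            # Different drives on Windows; treat as outside the root.
            continue
    return False


def open_trusted_environment(env_dir, trusted_roots=TRUSTED_DB_ROOTS):
    """Open an LMDB environment read-only, but only from an allowlisted directory.

    Refusing untrusted locations removes the precondition shared by all five
    bulletin entries.  The actual open call is the binding's lmdb.open().
    """
    if not is_under_trusted_root(env_dir, trusted_roots):
        raise PermissionError(f"refusing to open LMDB environment outside trusted roots: {env_dir}")
    import lmdb
    return lmdb.open(env_dir, readonly=True, lock=False)


if __name__ == "__main__":
    status = installed_py_lmdb_status()
    if status is None:
        print("py-lmdb is not installed in this interpreter")
    else:
        version, flagged = status
        print(f"py-lmdb {version}: {'matches bulletin release 0.97' if flagged else 'not the bulletin release (no fix is confirmed by the bulletin)'}")
```

The version check is deliberately narrow: it tells you whether you are running the exact release the bulletin discusses and nothing more, because the bulletin does not state that any other release is fixed. The path guard is the check to wire into the application, since a data.mdb that the attacker cannot place in front of the process cannot trigger any of the five issues.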
References
- https://github.com/TeamSeri0us/pocs/tree/master/lmdb/lmdb%20initialization%20vuln
- https://github.com/TeamSeri0us/pocs/tree/master/lmdb/lmdb%20write%20to%20illegal%20address
- https://github.com/TeamSeri0us/pocs/tree/master/lmdb/lmdb%20memory%20corruption%20vuln
- https://github.com/TeamSeri0us/pocs/tree/master/lmdb/lmdb%20memcpy%20illegal%20dst
- https://github.com/TeamSeri0us/pocs/tree/master/lmdb/FPE